Yeah, it is a risk, but so is it a risk for anything. Can you really trust the CPU, RAM, BIOS, USB-C cable, etc. on your desk? Maybe those have backdoors too?
But that is adversarial and is to be expected.
At least for these sorts of cooperative partnerships that I am aware of in enterprise, there are typically provisions in contracts for code access, verifiable builds, ability to reject updates and so on and so on. I don't know if these provisions exist in the sovereign cloud contracts that the cloud companies are building, but I would be really surprised if they went to all this trouble replicating Azure/GCP/etc in entirely air-gapped data centers with duplicated staff and hardware and all that, but didn't bother to vet the code they get!